In June of 2020, the U.S. Department of Justice issued updated guidance on the key elements necessary for an effective compliance program.[1] The guidance asks three primary questions:
- ‘Is the corporation’s compliance program well designed?’
- ‘Is the program being applied earnestly and in good faith?’ In other words, is the program adequately resourced and empowered to function effectively?
- ‘Does the corporation’s compliance program work’ in practice?
Below is a self-assessment detailing the requirements of the U.S. Department of Justice guidance against which you can measure your own program to find opportunities for incremental improvement and advancement to a higher level of program maturity.
1. Is the Corporation’s Compliance Program Well Designed?
A. Risk Assessment
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Risk management process: Company has documentation to show it has identified the varying risks presented by, among other factors, the location of its operations; its industry sector; the competitiveness of the markets in which it operates; the regulatory landscape; risks posed by potential clients and business partners; transactions with foreign governments; payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; and charitable and political donations. | |||
Company has documented its analysis and prioritization of the particular risks it faces based on factors including frequency, severity, likelihood, impact, and the effectiveness of existing controls and mitigation measures. | |||
Company can show its compliance program has been tailored based on the metrics and information identified in its risk assessment, including an assessment of the risk of criminal conduct, and has taken appropriate steps to design, implement, or modify each aspect of its compliance program to reduce the risk of criminal conduct. | |||
Risk-tailored resource allocation: Company can demonstrate it prioritizes addressing high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors, instead of spending a disproportionate amount of time policing low-risk areas. The company can also show it gives greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than it does to more modest and routine hospitality and entertainment expenditures. | |||
Updates and revisions: Company’s risk assessment process is documented and periodically updated and revised to reflect lessons learned, and it is based upon continuous access to operational data and information across functions. Company can show its periodic review has led to updates in policies, procedures, and controls to account for risks discovered through misconduct or gaps in the compliance program. | |||
Lessons learned: The company has a documented process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region. | |||
B. Policies, Procedures, and Controls
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Design: Company has a written code of conduct that sets forth, among other things, its commitment to full compliance with relevant laws, and it is accessible and applicable to all company employees. | |||
Company has established written policies and procedures that incorporate the culture of compliance into its day-to-day operations. | |||
Company has a documented process for designing and implementing new policies and procedures, and updating existing policies and procedures, that involves input from the business units. | |||
Company has a documented process for the management of policies and procedures, including authoring, approvals, version control, audit trail, and archives. | |||
Company can demonstrate the steps it has taken to determine whether specific policies/procedures/practices make sense for particular business segments/subsidiaries. | |||
Comprehensiveness: Company can demonstrate it monitors and implements policies and procedures that reflect and help to effectively mitigate the spectrum of risks it faces, including changes to the legal and regulatory landscape. | |||
Accessibility: Company can show it has communicated its policies and procedures to all employees and relevant third parties, ensuring there are no linguistic or other barriers to foreign employees’ access. | |||
Policies and procedures have been published in a searchable format for easy reference and company tracks access to various policies and procedures to understand which policies are attracting more attention from relevant employees. | |||
Responsibility for operational integration: Company has a documented process for integrating policies and procedures into operations and can show they have been rolled out in a way that ensures employees understand them. | |||
Company can show it ascertains whether employees understand policies and procedures related to high-risk laws and regulations, as well as the code of conduct, using surveys or knowledge checks, and makes modifications as warranted. | |||
Company can show its compliance policies and procedures are mapped to specific risks and reinforced through the company’s internal control systems. | |||
Company has documentation to show it performs audits on policies, procedures, and controls to determine whether they have been implemented effectively—especially in high-risk areas. | |||
Company can show it has taken steps to ensure policies and procedures have been integrated into the organization, including through periodic training (see section C on training) and through certifications and attestations from all directors, officers, relevant employees, and, where appropriate, agents and business partners. | |||
Gatekeepers: Company can demonstrate it has provided guidance and training to key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities) to ensure they know what misconduct to look for and when and how to escalate concerns. | |||
C. Training and Communications
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Risk-based training: Company has a training program designed to reinforce its policies, procedures, and controls and to relay information in a manner tailored to the audience’s size, sophistication, and subject matter expertise. For instance, some employees might receive practical advice or in-depth case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise, while others might receive shorter, more targeted training sessions to enable employees to spot issues and raise them to appropriate compliance, internal audit, or other risk management functions. | |||
Company has documentation of it having provided training that adequately addresses lessons learned from prior compliance incidents. | |||
Company can demonstrate it has conducted a risk-based analysis to determine who should be trained and on which subjects and ensures tailored training for high-risk and control employees, including training to address specific risks in areas where misconduct has previously occurred as well as enhanced or supplementary training for supervisory employees. | |||
Company tracks and maintains a record of attendance and completion for all company training programs and has a documented method for informing senior management of employees who fail to attend/complete required training. | |||
Form, content, and effectiveness: Company can show it tests employees on what they have learned and has a documented process for addressing gaps in understanding for employees who fail all or a portion of the testing. | |||
Company has a documented process through which employees can ask questions arising out of training. | |||
Company has established and documented methods to measure the effectiveness of its training curriculum and evaluates the extent to which training has an impact on employee behavior and operations. | |||
Company can show it has offered training in the form and language appropriate for the audience and provided it in both online and in-person formats with a clear rationale for its choice of format. | |||
Communications about misconduct: Company can demonstrate its senior management takes action to ensure employees know the company’s position concerning misconduct, including communications when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the types of misconduct that lead to discipline). | |||
Availability of guidance: Company can show it makes resources available to employees to provide guidance relating to compliance policies. | |||
Company has documentation to show it periodically assesses whether its employees know when to seek advice and whether they are actually willing and know how to do so. | |||
D. Confidential Reporting Structure and Investigation Process
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Effectiveness of the reporting mechanism: Company can demonstrate it has established corporate governance mechanisms that can effectively detect and prevent misconduct, including an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. | |||
Company can show it has ensured the reporting mechanism has been publicized to the company’s employees and other third parties. | |||
Company can demonstrate it takes measures to test whether employees are aware of the hotline and feel comfortable using it and whether it is actually being used. | |||
Company has a documented method for assessing the seriousness of allegations it receives. | |||
Company’s complaint-handling process is well documented and includes proactive measures to create appropriate processes for the submission of complaints, processes to protect whistleblowers, and a workplace atmosphere without fear of retaliation. | |||
Company has documented processes for handling the investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline. | |||
Company can demonstrate it has ensured the compliance function has full access to reporting and investigative information. | |||
Properly scoped investigations by qualified personnel: Company has a documented method for determining which complaints or red flags merit further investigation and ensures investigations are properly scoped. | |||
Company can show it takes steps to ensure investigations are independent, objective, appropriately conducted, and properly documented. | |||
Company has a clear and documented process to determine who should conduct an investigation and who has the authority to make that determination. | |||
Investigation response: Company can demonstrate it applies timing metrics to ensure responsiveness in the handling of investigations. | |||
Company has a documented process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations. | |||
Resources and tracking of results: Company can show its reporting and investigation mechanisms are sufficiently staffed and funded. | |||
Company can show it collects, tracks, analyzes, and uses information from its reporting mechanisms, reports, and investigation findings to uncover patterns of misconduct or other red flags indicating compliance weaknesses. | |||
Company can show it periodically tests the effectiveness of its hotline, for example by tracking a report from start to finish. | |||
E. Third-Party Management
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Risk-based and integrated processes: Company can show it applies risk-based due diligence to its third-party relationships in a manner appropriate for the size and nature of the company, transaction, and third party and corresponding to the nature and level of the enterprise risk identified by the company. | |||
Company can show it has ensured its due diligence process has been integrated into the relevant procurement and vendor management processes. | |||
Company can demonstrate an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions. | |||
Appropriate controls: Company can show it ensures there is an appropriate business rationale for needing a third party in a transaction, and that it has assessed the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. | |||
Company has documented how it monitors its third parties, whether it has audit rights to analyze the books and accounts of third parties, and, if so, whether the company has exercised those rights in the past. | |||
Company has documented how it trains its third-party relationship managers about compliance risks and how to manage such risks. | |||
Company can demonstrate how it incentivizes compliance and ethical behavior by third parties and whether it engages in risk management of its third parties throughout the lifespan of the relationship or only during the onboarding process. | |||
Management of relationships: Company can show it has considered and analyzed the compensation and incentive structures for third parties against their compliance risks to ensure they are appropriate for the industry and geographical region, and to ensure that compensation is commensurate with the services to be rendered. | |||
Company can demonstrate it has ensured that contract terms with third parties specifically describe the services to be performed and the applicable payment terms. | |||
Company has an established and documented method for ensuring services have actually been performed by its third parties prior to payment. | |||
Company can show it is engaged in ongoing monitoring of third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications from third parties. | |||
Real actions and consequences: Company can demonstrate it tracks red flags that are identified from due diligence on third parties and has an established and documented method addressing those red flags. | |||
Company documents and tracks third parties that do not pass its due diligence process or that are terminated following a compliance failure and takes steps to ensure that those third parties are not hired or rehired at a later date. | |||
If company discovers a third party is involved in misconduct, company can show it reviews the due diligence performed to determine how any red flags were resolved to ensure there are no gaps in the due diligence process and determines whether similar third parties should be suspended, terminated, or audited as a result of compliance issues. | |||
F. Mergers and Acquisitions (M&A)
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Due diligence process: Company can show it performs comprehensive pre-M&A due diligence on any acquisition targets, allowing the company to accurately evaluate each target’s value and take into account the costs of any corruption or misconduct by the target. | |||
Integration in the M&A process: Company can show the compliance function has been integrated into the merger, acquisition, and integration process. | |||
Process connecting due diligence to implementation: Company has documented any misconduct or risk of misconduct identified during due diligence, the specific persons who conducted the risk review for the acquired/merged entities, and the M&A due diligence process generally. | |||
Company has a documented process for tracking and remediating misconduct or misconduct risks identified during the due diligence process. | |||
Company has a documented process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities. | |||
Company has a documented process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. | |||
2. Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?
A. Commitment by Senior and Middle Management
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Conduct at the top: Company has documentation to demonstrate that senior management (i.e., the board of directors and executives) has clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. | |||
Company has documentation to demonstrate its middle management has, in turn, reinforced these standards and encouraged employees to abide by them. | |||
Company has documentation to demonstrate how senior leaders have, through both their words and actions, encouraged compliance. Documentation includes the concrete actions they have taken to demonstrate leadership in the company’s compliance and remediation efforts and how they have modelled proper behavior to subordinates. | |||
Company can demonstrate it has systems in place to ensure managers have not tolerated greater compliance risks in pursuit of new business or greater revenues, have not encouraged employees to act unethically to achieve a business objective, and have not impeded compliance personnel from effectively performing their duties. | |||
Shared commitment: Company has documentation to demonstrate its senior leaders and middle-management stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) have a shared commitment to compliance and compliance personnel, including support of compliance risk remediation efforts, and can demonstrate they have persisted in that commitment in the face of competing interests or business objectives. | |||
Oversight: Company has documentation to show compliance expertise is available on the company’s board of directors and that the board of directors and/or external auditors hold executive or private sessions with the compliance and control functions. Company has documentation of the types of information the board of directors and senior management examine in their exercise of oversight of the compliance program generally and of areas in which misconduct has occurred specifically. | |||
B. Autonomy and Resources
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Structure: Company has documented how the compliance program is structured and the reasoning for structuring it as it has. | |||
Company can show its compliance and internal audit functions are conducted at a level sufficient to ensure their independence and accuracy, and that they are empowered and positioned to effectively detect and prevent misconduct. | |||
Company has documentation of where the compliance function is housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board) and to whom it reports (Is the compliance function run by a designated chief compliance officer or another executive within the company, and does that person have other roles within the company?) as well as the reasoning behind the chosen structure. | |||
Company is prepared to explain whether compliance personnel are dedicated to compliance responsibilities, or whether they have other, noncompliance responsibilities within the company, and the reasoning behind that choice. | |||
Seniority and stature: Company has documentation to show the compliance function is comparable to other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers. | |||
The turnover rate for company’s compliance and relevant control function personnel is tracked over time and is comparable to other functions. | |||
Company can show its compliance function is involved in the company’s strategic and operational decisions. | |||
Company has documented how it has responded to specific instances where compliance has raised concerns and has documentation to demonstrate there have been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns. | |||
Experience and qualifications: Company can show its compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities and can also demonstrate the level of experience and qualifications in these roles has changed over time as the compliance program has matured and the organization’s risk profile has changed. | |||
Company can demonstrate it has invested in further training and development of compliance and other control personnel. | |||
Company has documented who reviews the performance of the compliance function, the specific review process used, and who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel. | |||
Funding and resources: Company can demonstrate there has been sufficient staffing for compliance personnel to effectively audit, document, analyze, and act on the results of the compliance efforts and that it has allocated sufficient funds for the same. | |||
Company has documented any instances when requests for resources by compliance and control functions have been denied and the specific reasoning behind such denials. | |||
Data resources and access: Company can demonstrate its compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions and can explain any existing impediments that limit access to relevant sources of data and what the company is doing to address them. | |||
Autonomy: Company can show its compliance and relevant control functions have direct reporting lines to the board of directors and/or audit committee or can explain the specific reasoning for why they do not. | |||
Company documents the steps it takes to ensure the independence of compliance and control function personnel. It documents how often compliance and control functions meet with the board of directors, and if members of senior management are present for these meetings, why they were included instead of allowing for an independent meeting. | |||
Outsourced compliance functions: If company outsources all or parts of its compliance functions to an external firm or consultant, it is prepared to explain the reasoning behind this decision and who is responsible for overseeing or liaising with the external firm or consultant. Documentation should also include the level of access the external firm or consultant has to company information and how the effectiveness of the outsourced process has been assessed. | |||
C. Incentives and Disciplinary Measures
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Human Resources process: Company has documentation of clear disciplinary procedures and can show it enforces them consistently across the organization and ensures disciplinary measures are commensurate with the violations. | |||
Company can demonstrate its communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct. | |||
Company can show it publicizes disciplinary actions internally, where appropriate and possible, as a valuable deterrent. | |||
Company can show it provides positive incentives—personnel promotions, rewards, and bonuses—for improving, developing, and reinforcing the compliance program or otherwise demonstrating ethical leadership (e.g., making management bonuses contingent upon ethical leadership and/or making work on compliance matters a means of career advancement). | |||
Company has documented criteria for who participates in making disciplinary decisions and a documented process to ensure the same process is followed for each instance of misconduct. | |||
Company can show it communicates the actual reasons for discipline to employees unless there are legal or investigation-related reasons for restricting that information. Company has a process to ensure pretextual reasons for discipline are not provided in an attempt to prevent whistleblowing or outside scrutiny. | |||
Consistent application: Company can show its compliance function monitors its investigations and all resulting discipline for consistency. If there are similar instances of misconduct that were treated differently, company is prepared to explain the reasoning behind the disparity. Company can demonstrate disciplinary actions and incentives have been fairly and consistently applied across the organization. | |||
Incentive systems: Company has documentation to show it has considered the implications of its incentives and rewards on compliance. | |||
Company has documentation of the ways in which it incentivizes compliance and ethical behavior, including specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations. | |||
3. Does the Corporation’s Compliance Program Work in Practice?
A. Continuous Improvement, Periodic Testing, and Review
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Internal audit: Company can show it has engaged in meaningful efforts to review its compliance program and ensure it is not stale (e.g., surveying employees to gauge the compliance culture and evaluate the strength of controls and/or conducting periodic audits to ensure that controls are functioning well). | |||
Company can demonstrate it has taken reasonable steps to ensure the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct and periodic evaluation of the effectiveness of the organization’s program. | |||
Company can demonstrate it has a documented process for determining where and how frequently Internal Audit will undertake audits, how often it conducts assessments in high-risk areas, the rationale behind its processes, and how audits are actually carried out. | |||
Company can show it documents relevant audit findings and the progress of remediation efforts and that these have been reported to management and the board on a regular basis. Company has documentation showing how management and the board have followed up on audit findings. | |||
Control testing: Company can show it has reviewed and audited its compliance program and can demonstrate the testing of controls, collection and analysis of compliance data, and interviews of employees and third parties the company has undertaken and how the results of these are reported and action items are tracked. | |||
Evolving updates: Company can show it conducts a periodic gap analysis to determine whether particular areas of risk are not sufficiently addressed in its policies, controls, or training. | |||
Company can demonstrate it regularly reviews and adapts its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks. | |||
Culture of compliance: Company has documented processes for regularly measuring its culture of compliance, which includes input from all levels of employees to determine, for example, their perceptions of senior and middle management’s commitment to compliance and whether employees believe the organization treats all wrongdoers consistently and fairly. | |||
Company has documented the steps it has taken in response to the results of its measurement of the compliance culture. | |||
B. Investigation of Misconduct
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Properly scoped investigation by qualified personnel: Company can demonstrate it has ensured investigations have been properly scoped and were independent, objective, appropriately conducted, and properly documented. | |||
Response to investigations: Company can show investigations have been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory managers and senior executives, and has a documented process for responding to investigative findings, including criteria detailing with whom investigative findings are shared. | |||
C. Analysis and Remediation of Any Underlying Misconduct
Measure of Effectiveness | Current Status/Actions Already Taken | Improvement Opportunities | Action Plan for Incremental Improvement
---|---|---|---
Root cause analysis: Company can demonstrate it regularly conducts thoughtful root cause analysis of misconduct and timely and appropriately remediates issues to address the identified root causes, including whether any systemic issues were identified and who in the company is involved in conducting this analysis. | |||
Company can show it tracks root causes over time to reveal trends and potential control weaknesses. | |||
Prior weaknesses: Company can show it determines which controls have failed and, if policies or procedures should have prohibited the misconduct, whether they were effectively implemented, and whether functions that had ownership of these policies and procedures have been held accountable for failures. | |||
Payment systems: Company has documented how misconduct has been funded (e.g., purchase orders, employee reimbursements, discounts, petty cash), which processes could have prevented or detected improper access to these funds, and whether those processes have been improved. | |||
Vendor management: If vendors have been involved in misconduct, company can show it has determined whether the documented process for vendor selection was properly completed and whether red flags were missed. | |||
Prior indications: Company can show it considered whether there were prior opportunities to detect misconduct, such as audit reports identifying relevant control failures or allegations, complaints, or investigations, and has documentation to show the company’s analysis of why such opportunities were missed and what should be changed to prevent such misses in the future. | |||
Remediation: Company has documented the specific changes it has made to reduce the risk that the same or similar issues will occur in the future, including the specific remediation steps taken to address the issues identified in the root cause and missed opportunity analyses. | |||
Company can show it conducted follow-up actions and audits of changes made and remediation actions taken to determine whether the corrective actions taken are effective at preventing future misconduct. | |||
Company has documented all remedial actions taken, including, for example, disciplinary action against past violators uncovered by the compliance program. | |||
Accountability: Company has documentation to show the disciplinary actions it took in response to misconduct, when they were taken, and whether managers were held accountable for misconduct that occurred in areas under their supervision. | |||
Company can show it considered disciplinary actions for failures in supervision and regularly tracks its record of employee discipline relating to the types of conduct at issue (e.g., number and types of disciplinary actions). | |||
Company documents and tracks instances where employees were terminated or otherwise disciplined (e.g., through reduced or eliminated bonuses, a warning letter, etc.) for different types of misconduct. | |||
Company can demonstrate appropriate discipline of employees, including those identified by the company as responsible for misconduct, either through direct participation or as a result of failure in oversight, as well as discipline for those with supervisory authority over the area in which misconduct has occurred. | |||
Company can show it recognizes the seriousness of specific types of misconduct, accepts responsibility for them, and implements measures to reduce the risk of repetition of such misconduct, including measures to identify future risks. | |||